From owner-freebsd-questions Fri Aug 21 23:13:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA02457 for freebsd-questions-outgoing; Fri, 21 Aug 1998 23:13:15 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG) Received: from lucy.bedford.net (lucy.bedford.net [206.99.145.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA02445 for ; Fri, 21 Aug 1998 23:13:12 -0700 (PDT) (envelope-from djv@lucy.bedford.net) Received: (from djv@localhost) by lucy.bedford.net (8.8.8/8.8.8) id BAA06910; Sat, 22 Aug 1998 01:56:03 -0400 (EDT) (envelope-from djv) Message-Id: <199808220556.BAA06910@lucy.bedford.net> Subject: Re: wierd In-Reply-To: <35DE5168.8DF53FD@vagner.com> from George Vagner at "Aug 22, 98 00:04:40 am" To: vagner@vagner.com (George Vagner) Date: Sat, 22 Aug 1998 01:56:03 -0400 (EDT) Cc: djv@bedford.net, vagner@mutsgo.kf7nn.com, questions@FreeBSD.ORG Reply-To: djv@bedford.net From: djv@bedford.net X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG George Vagner wrote > there was no access to the console other than myself > ever. how could someone install a root kit without > root access. Obtain a login as an ordinary user, then exploit a local way of getting root. A failed attempt to login locally, like "login" or "telnet localhost", might generate such error messages. I'd look for activity in all system logs around the time in question, and inspect the password database for alterations. Of course, such messages can be faked, too. Dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message